The above process assumes that your ~/.ecryptfs/wrapped-passphrase file is available on this system. If you're using 2-factor authentication and storing this elsewhere, you might need to perform an additional mount and symbolic link to make this file available.

Alternatively, if you're trying to recover data, and you've recorded your mount passphrase properly, you would use

kirkland@ubuntu$ ecryptfs-add-passphrase --fnek

just before the ecryptfs-mount-private bit, to manually enter your passphrase (rather than pulling it from ~/.ecryptfs/wrapped-passphrase).

48 comments:

Thanks for the info. What I would like to know (and I'm sure it is simpler than I realize) is how to do an rsync backup of the encrypted files. When I'm logged into my Jaunty VM with encrypted home, I cannot see the .Private directory. When I boot into an ISO, I can only see the contents of .Private when I use sudo.

I love how these kinds of instructions (the ones that contain seventeen incomprehensible shell commands you wouldn't want to dictate to your grandmother over the phone) inevitably contain the word "simple".

For the instructions themselves I thank you -- they'll certainly come in handy.

I have followed all your instructions above and everything functions well. I can view the content of my encrypted home folder from the Ubuntu Live-CD session. But now I have a problem: I don't know how I can save my data outside the encrypted home, because I am not able to connect, for instance, an external USB disk and access this disk from the terminal. I have tried different ways, but every time the external disk is not readable, or I can't write to it, and so on. An external disk can be used with the normal "ubuntu" live session user, but not with the "kirkland" user. Do you have any suggestions?

Thanks for the instructions, everything worked as it should. Now I want to move on to more advanced stuff.

I want to do a live backup of my home directory in an unencrypted state. Therefore I put my home directory into an lvm volume, from which I create a snapshot.

I then mount the snapshot and would like to do a "mount -t ecryptfs" to get to a snapshot of the decrypted data. Unfortunately I was not able to figure out how to do this. Maybe you could give me some hints?

Hi Dustin, I keep running into problems at the chroot command. I'm trying to get my encrypted home data off a hard drive I took out of a dead 64-bit computer. I'm not sure if it is necessary to do this with a computer with the same architecture or if a 32-bit computer is possible. I expected to be able to go into my encrypted file system like in a tar file - but that doesn't seem to be the case...

Hi Dustin, I have a big problem. I have my encrypted home but the partition that had folders /proc and /sys was deleted by a new installation (Ubuntu 9.10). Is there any way to access my encrypted data?

Deleted? You can't delete /proc or /sys. Those are virtual filesystems created by the kernel on boot. There's no persistent data stored there. It's recreated every time you boot. If you carefully follow the instructions above, you will have a working /proc and /sys.

I usually use NFS. I'll mount a remote filesystem over the network and then use rsync -aP to copy my decrypted data off of the system.

You should be able to use a USB disk or USB key just fine, too.

Once you have your data mounted and accessible decrypted, open a *new* terminal, running as the ubuntu (administrative) user. This user should be able to write to the USB disk, and see the decrypted data. Use the 'mount' command to find the correct path to the mounted ecryptfs data outside of the chroot.
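
The reply above says to use 'mount' outside the chroot to find the decrypted path and to copy with rsync -aP. The script below is an added example, not part of the original post or its comments; the function names and the destination path are hypothetical, and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example: find decrypted eCryptfs mounts from outside the chroot and
# copy them off. Run as the live-session "ubuntu" user (with sudo if needed).

# Constructed sample in /proc/mounts format; not from a real system.
SAMPLE='/dev/sda1 /mnt ext4 rw,relatime 0 0
/dev/sdb1 /media/usb\040disk vfat rw,nosuid,nodev 0 0
/home/kirkland/.Private /mnt/home/kirkland ecryptfs rw,relatime 0 0'

# Print the mount point of every eCryptfs mount in a /proc/mounts-style file
# (default /proc/mounts, "-" for stdin). The kernel writes space, tab and
# backslash in paths as \040, \011 and \134; \134 is decoded last so that an
# escaped backslash followed by "040" is not turned into a space.
find_ecryptfs_mounts() {
    tab=$(printf '\t')
    awk '$3 == "ecryptfs" { print $2 }' "${1:-/proc/mounts}" |
        sed -e 's/\\040/ /g' -e "s/\\\\011/${tab}/g" -e 's/\\134/\\/g'
}

# Succeed only if DEST ($2) is not SRC ($1) or a directory beneath it.
dest_outside_src() {
    case "$2/" in
        "$1"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Copy each decrypted tree to DEST/<name>. DEST ends up holding plaintext.
backup_decrypted() {
    dest=$1
    find_ecryptfs_mounts | while IFS= read -r src; do
        if ! dest_outside_src "$src" "$dest"; then
            echo "skipping $src: destination lies inside it" >&2
            continue
        fi
        rsync -aP "$src"/ "$dest/$(basename "$src")"/
    done
}

if [ "$#" -eq 0 ]; then
    # No destination given: just show what the parser finds in the sample.
    printf '%s\n' "$SAMPLE" | find_ecryptfs_mounts -
else
    backup_decrypted "$1"   # e.g. /media/usbdisk (hypothetical path)
fi
```

The copy on the destination is no longer protected by eCryptfs, so treat the USB disk or NFS share as holding plaintext.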

Thanks for your earlier reply, I still can't mount my home. The home folder has a broken symbolic link, pointing to the /var/lib/ecryptfs/saran folder. This folder does not exist. Is there any way to mount my home having only the .Private folder? Thanks again.

For Saran, about ecryptfs not being setup properly ... are you using your own account to run the command, or root, or the live ubuntu account? You need to run the command as yourself. I found that out last night.

I'm not sure if this will work for me, since I have 9.10 & Dustin said there's a bug for 9.10, but I'll keep the information in hopes it will work, or at least hopes I won't need it in the future. Two nights ago I had a problem in which Ubuntu stopped booting properly, but last night someone told me to run fsck to fix it, and it did fix it, so I don't need these instructions at the moment.

Dustin: has the fix been edited into the blog post for 9.10 already, or are you still working on that?

Hello Dustin, following your info I could see and manipulate any files, but I cannot recover them. I tried to mount the encrypted files from my other Ubuntu partition. I tried to copy the files with these commands:

wildner@widner-desktop:~$ cp /home/wildner/Mariah\ Carey\ -\ I\ Wanna\ Know\ What\ Love\ Is.mp3 /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Mariah Carey - I Wanna Know What Love Is.mp3: Not a directory
wildner@widner-desktop:~$ cp /home/wildner/Linux /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Linux: No such file or directory
wildner@widner-desktop:~$ cp /home/wildner/Linux/*.* /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Linux/*.*: No such file or directory

How do I copy the files to the other partition?

I followed your instructions with a 9.04 CD for a crashed 9.10 installation, and after ecryptfs-mount-private I get:

ecryptfs-insert-wrapped-passphrase-into-keyring: error while loading shared libraries: libecryptfs.so.0: cannot open shared object file: No such file or directory

What to do now? I also tried it with a 9.10 CD, but the result is the same. I have Ubuntu on one ext4 partition

Sweet, thanks Dustin. Note that this will not work with the Karmic 9.10 liveCD although you may be able to replace the ecryptfs package with that from the Jaunty repository (not tested). Also, I had a raid0 array with an lvm2 volume. I first had to enable raid and lvm in Jaunty and then mount my logical volume as follows:

sudo -i
apt-get update
apt-get install dmraid mdadm lvm2
modprobe dm-raid4-5
vgchange -a y
mount /dev/mapper/"volume name-root" /mnt

then continue as above

It sorta' worked for me. If I use the folder GUI browser (Nautilus, I think it's called) my folder is still locked, but I can use the terminal to look at a list of what I've got and am now trying to copy (cp) to my USB, but since I'm not having any success I'm guessing I have to mount my USB too. I have Ubuntu 9.10 Karmic Koala and am new to Linux and my HD won't boot. Ubuntu rocks though :p

Hi, Dustin. When I go to "su - User" it responds "No directory, logging in with HOME=/". If I continue with ecryptfs-mount-private, then I receive a message: "ERROR: Encrypted private directory is not setup properly". There is some trick here...

[ until this point all right ]
ubuntu@ubuntu:~$ sudo chroot /mnt
root@ubuntu:/# <-- answer
root@ubuntu:/# su - rob
No directory, logging in with HOME=/
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

And one really "excellent" way to get yourself into this state is to use superuser privileges to change your password. This can happen if you are the type who keeps multiple passwords in sync and some other place has a more aggressive notion of password security than does Ubuntu. However, if your Ubuntu installation prohibits password changes in quick succession, and if you are an antique UNIX hacker, what do you do? You use superuser privileges to force the password change, what else??? Unfortunately, this brute-force method apparently fails to update ecryptfs's idea of what your password is.

The trick in that case is to use Dustin's excellent workaround above, but give your intermediate password (the one that was deemed too weak by some other password-accepting facility) to ecryptfs-mount-private.

Thanks for the workaround, Dustin!!! Saved me a huge amount of time!!!

It's the thing you are warned to write down somewhere safe when you installed your system. In case you were a bad boy and did not do so, execute "ecryptfs-unwrap-passphrase" in the terminal. Yes, you need to do that from within the installation you want to mount. So if you lost your installation you might be in bad luck.

Hi Dustin, I am working on Ubuntu 1.0.04. All my data on my desktop and my /home/suyog has disappeared, and I get this file Access-Your-Private-Data.desktop. How to resolve this? And I followed the above procedure but I again got an error regarding login passphrase.

Hi, I executed the second command (mount -o bind /dev /mnt/dev) from the instructions given above. It says: can not create directory 'dev': Read only file system. How to get data back from encrypted /home in 11.04?

Hi Dustin

If I create a new user in live CD with the command ecryptfs-mount-private it finds the directory but won't accept what was the original user password.

Your instructions

ecryptfs-mount-private

gives error: private directory is not setup properly

Anything I can do?

Thanks

About the Author

Previously, Dustin was the VP of Product at Canonical, having led the amazing team that delivers Ubuntu, from the Cloud to IoT commercial offerings.

Formerly the CTO of Gazzang, a venture funded start-up acquired by Cloudera, Dustin designed and implemented a key management system for cloud applications, called zTrustee, and delivered comprehensive security for cloud and big data platforms with eCryptfs and other encryption technologies.